<!DOCTYPE html>
<html>

  <head>
    <meta charset='utf-8' />
    <meta http-equiv="X-UA-Compatible" content="chrome=1" />
    <meta name="description" content="CAS - Single Sign-On for the Web" />
    
    
    <link rel="stylesheet" type="text/css" media="screen"
          href="../../stylesheets/v40x-stylesheet.css">
    <link rel="stylesheet" type="text/css" media="print"
          href="../../stylesheets/print.css">
    <title>CAS - Shibboleth Integration</title>
    <script src="https://ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js"></script>
    <script src="../../javascripts/URI.js"></script>
    <script src="../../javascripts/v40x-main.js"></script>
  </head>

  <body>
    <!-- HEADER -->
    <div id="header_wrap" class="outer">
        <header class="inner">
          <a id="forkme_banner" href="https://github.com/Jasig/cas">View on GitHub</a>
          <div id="project_title">
            <a class="undecorated" href="../../index.html">
              <img class="undecorated" src="../../images/cas_logo.png"/>
            </a>
          </div>
          <h2 id="project_tagline">Single Sign-On for the Web</h2>
        </header>
    </div>

    <!-- NAVBAR -->    
    <div id="navbar_wrap" class="outer">
      <header id="navbar_content" class="inner">
        <div class="navlink">
  <a href="../../index.html">Home</a>
</div>
<div class="navlink">
  <a href="https://github.com/Jasig/cas/releases">Downloads</a>
</div>
<div class="navlink">
  <a href="https://www.google.com/cse/publicurl?cx=017040929083740828958:sqr2hwvrxmg">Search</a>
</div>
<div class="navlink">
  <a href="../../Support.html">Support</a>
</div>
<div class="navlink">
  <a href="../../Mailing-Lists.html">Mailing Lists</a>
</div>
<div class="navlink">
  <a href="../../Older-Versions.html">Older Versions</a>
</div>

        </header>
    </div>

      <!-- SIDEBAR -->
      <div id="sidebar_wrap" class="outer">
        <header id="sidebar_content" class="inner">
          <span id="sidebartoc"></span>
        </header >
      </div>
      
      <!-- PAGE TABLE OF CONTENTS -->
      <div id="table_contents" class="outer">
        <header id="sidebar_content" class="inner">
          <span id="tableOfContents"></span>
        </header>
      </div>
      
      <!-- MAIN CONTENT -->
      <div id="main_content_wrap" class="outer">
        <section id="main_content" class="inner">
          <h1 id="overview">Overview</h1>
<p>CAS can be integrated with the <a href="http://shibboleth.net/">Shibboleth federated SSO platform</a> by a couple different strategies. It is possible to designate CAS to serve as the authentication provider for the Shibboleth IdP. With such a setup, when user is routed to the IdP, the following may take place:</p>

<ul>
  <li>If the user has already authenticated to CAS and has a valid CAS SSO session, the IdP will transparently perform the requested action, e.g. attribute release.</li>
  <li>If the user does not have a valid CAS SSO session, the user will be redirected to CAS and must authenticate before the IDP proceeds with the requested action.</li>
</ul>

<h2 id="sso-provider-for-shibboleth-idp-remoteuser">SSO Provider for Shibboleth IdP (RemoteUser)</h2>

<h3 id="configuration">Configuration</h3>

<h4 id="include-cas-client-libraries-in-idp-deployable">Include CAS Client Libraries in IdP Deployable</h4>

<p>Download the latest Java CAS Client Release and modify the IdP war deployable such that the following jars are included in the <code>./lib</code> installer folder, then redeploy the Idp with these files:</p>

<pre><code>cas-client-$VERSION/modules/cas-client-core-$VERSION.jar
</code></pre>

<h4 id="modify-shibhomeconfhandlerxml">Modify <code>$SHIB_HOME/conf/handler.xml</code></h4>

<p>Define the <code>RemoteUser</code> authentication method to be used with CAS authentication.</p>

<div class="highlight"><pre><code class="xml"><span class="c">&lt;!-- Remote User handler for CAS support --&gt;</span>
<span class="nt">&lt;LoginHandler</span> <span class="na">xsi:type=</span><span class="s">&quot;RemoteUser&quot;</span><span class="nt">&gt;</span>
  <span class="nt">&lt;AuthenticationMethod&gt;</span>
    urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
  <span class="nt">&lt;/AuthenticationMethod&gt;</span>
  <span class="nt">&lt;AuthenticationMethod&gt;</span>
    urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
  <span class="nt">&lt;/AuthenticationMethod&gt;</span>
<span class="nt">&lt;/LoginHandler&gt;</span>
</code></pre></div>

<h4 id="modify-idp-deployable-webxml">Modify IdP Deployable <code>web.xml</code></h4>
<p>Add the following XML blocks to the <code>web.xml</code> file for the IdP war deployable. </p>

<div class="highlight"><pre><code class="xml"><span class="c">&lt;!-- For CAS client support --&gt;</span>
<span class="nt">&lt;context-param&gt;</span>
  <span class="nt">&lt;param-name&gt;</span>serverName<span class="nt">&lt;/param-name&gt;</span>
  <span class="nt">&lt;param-value&gt;</span>${idp.hostname}<span class="nt">&lt;/param-value&gt;</span>
<span class="nt">&lt;/context-param&gt;</span>
CAS Filters
<span class="c">&lt;!-- CAS client filters --&gt;</span>
<span class="nt">&lt;filter&gt;</span>
  <span class="nt">&lt;filter-name&gt;</span>CAS Authentication Filter<span class="nt">&lt;/filter-name&gt;</span>
  <span class="nt">&lt;filter-class&gt;</span>
      org.jasig.cas.client.authentication.AuthenticationFilter
  <span class="nt">&lt;/filter-class&gt;</span>
  <span class="nt">&lt;init-param&gt;</span>
    <span class="nt">&lt;param-name&gt;</span>casServerLoginUrl<span class="nt">&lt;/param-name&gt;</span>
    <span class="nt">&lt;param-value&gt;</span>${cas.server.url}login<span class="nt">&lt;/param-value&gt;</span>
  <span class="nt">&lt;/init-param&gt;</span>
<span class="nt">&lt;/filter&gt;</span>
 
<span class="nt">&lt;filter-mapping&gt;</span>
  <span class="nt">&lt;filter-name&gt;</span>CAS Authentication Filter<span class="nt">&lt;/filter-name&gt;</span>
  <span class="nt">&lt;url-pattern&gt;</span>/Authn/RemoteUser<span class="nt">&lt;/url-pattern&gt;</span>
<span class="nt">&lt;/filter-mapping&gt;</span>
  
<span class="nt">&lt;filter&gt;</span>
  <span class="nt">&lt;filter-name&gt;</span>CAS Validation Filter<span class="nt">&lt;/filter-name&gt;</span>
  <span class="nt">&lt;filter-class&gt;</span>
    org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter
  <span class="nt">&lt;/filter-class&gt;</span>
  <span class="nt">&lt;init-param&gt;</span>
    <span class="nt">&lt;param-name&gt;</span>casServerUrlPrefix<span class="nt">&lt;/param-name&gt;</span>
    <span class="nt">&lt;param-value&gt;</span>${cas.server.url}<span class="nt">&lt;/param-value&gt;</span>
  <span class="nt">&lt;/init-param&gt;</span>
  <span class="nt">&lt;init-param&gt;</span>
    <span class="nt">&lt;param-name&gt;</span>redirectAfterValidation<span class="nt">&lt;/param-name&gt;</span>
    <span class="nt">&lt;param-value&gt;</span>true<span class="nt">&lt;/param-value&gt;</span>
  <span class="nt">&lt;/init-param&gt;</span>
<span class="nt">&lt;/filter&gt;</span>
  
<span class="nt">&lt;filter-mapping&gt;</span>
  <span class="nt">&lt;filter-name&gt;</span>CAS Validation Filter<span class="nt">&lt;/filter-name&gt;</span>
  <span class="nt">&lt;url-pattern&gt;</span>/Authn/RemoteUser<span class="nt">&lt;/url-pattern&gt;</span>
<span class="nt">&lt;/filter-mapping&gt;</span>
  
<span class="nt">&lt;filter&gt;</span>
  <span class="nt">&lt;filter-name&gt;</span>CAS HttpServletRequest Wrapper Filter<span class="nt">&lt;/filter-name&gt;</span>
  <span class="nt">&lt;filter-class&gt;</span>
    org.jasig.cas.client.util.HttpServletRequestWrapperFilter
  <span class="nt">&lt;/filter-class&gt;</span>
<span class="nt">&lt;/filter&gt;</span>
  
<span class="nt">&lt;filter-mapping&gt;</span>
  <span class="nt">&lt;filter-name&gt;</span>CAS HttpServletRequest Wrapper Filter<span class="nt">&lt;/filter-name&gt;</span>
  <span class="nt">&lt;url-pattern&gt;</span>/Authn/RemoteUser<span class="nt">&lt;/url-pattern&gt;</span>
<span class="nt">&lt;/filter-mapping&gt;</span>
</code></pre></div>

<h4 id="enable-remoteuserhandler-in-idp-deployable-webxml">Enable <code>RemoteUserHandler</code> in Idp Deployable <code>web.xml</code></h4>
<p>Ensure the following is defined:</p>

<div class="highlight"><pre><code class="xml"><span class="c">&lt;!-- Servlet protected by container user for RemoteUser authentication --&gt;</span>
<span class="nt">&lt;servlet&gt;</span>
  <span class="nt">&lt;servlet-name&gt;</span>RemoteUserAuthHandler<span class="nt">&lt;/servlet-name&gt;</span>
  <span class="nt">&lt;servlet-class&gt;</span>edu.internet2.middleware.shibboleth.idp.authn.provider.RemoteUserAuthServlet<span class="nt">&lt;/servlet-class&gt;</span>
<span class="nt">&lt;/servlet&gt;</span>
  
<span class="nt">&lt;servlet-mapping&gt;</span>
  <span class="nt">&lt;servlet-name&gt;</span>RemoteUserAuthHandler<span class="nt">&lt;/servlet-name&gt;</span>
  <span class="nt">&lt;url-pattern&gt;</span>/Authn/RemoteUser<span class="nt">&lt;/url-pattern&gt;</span>
<span class="nt">&lt;/servlet-mapping&gt;</span>
</code></pre></div>

<h2 id="sso-provider-for-shibboleth-idp-external">SSO Provider for Shibboleth IdP (External)</h2>
<p>This is a <a href="https://github.com/Unicon/shib-cas-authn2">Shibboleth IdP external authentication plugin</a> that delegates the authentication to CAS. The advantage of using this component over the plain <code>RemoteUser</code>  solution is the ability to utilize a full range of native CAS protocol features such as <code>renew</code> and <code>gateway</code>. </p>

<h2 id="shibboleth-service-provider-proxy">Shibboleth Service Provider Proxy</h2>
<p>The <a href="https://code.google.com/p/casshib/">CASShib project</a> “Shibbolizes” the CAS server and enables end applications to get authentication information from CAS rather than the Shibboleth Service Provider. CASShib is designed as an alternative to deploying the Shibboleth service provider for each application in order to:</p>

<ul>
  <li>Leverage Shibboleth’s sophisticated attribute release policy functionality to enable attribute releasing to services in the local environment.</li>
  <li>Offer the chance for local applications to easily become federated services.</li>
</ul>

        </section>
      </div>

    <!-- FOOTER  -->
    <div id="footer_wrap" class="outer">
      <footer class="inner">
        <p>CAS is supported by the <a href="http://www.apereo.org/">Apereo Foundation</a>.</p>
      </footer>
    </div>
  </body>
</html>
